Analyzing and Maintaining Access Control Infrastructures

Status

This project started on the 1st of September 2013 and is now closed.

Researchers

Prof. David Basin (ETH)
Carlos Cotrini (ETH)
Thilo Weghorn (ETH)
Claudiu Duma (Credit-Suisse)

Description

This project comprises three subprojects:
FORBAC: Different RBAC (Role-based access control) extensions have been proposed over the past few decades. These extensions have brought greater expressiveness in policy specification. However, the added expressiveness has also inadvertently brought greater difficulties in policy analysis. In this project we propose FORBAC, an extension that strikes a balance between expressiveness in policy specification and efficiency in policy analysis.
PEP Analysis: The implementation of business applications is often outsourced to external software development companies who cannot be trusted to implement access control procedures properly. This is one of the reasons why enforcing access control is one of the main issues in OWASP 2015. In this project we will develop methods for checking that before every security relevant section in the code, an authorization request is correctly sent to the PDP. By using static program analysis we will identify missing authorization requests as well as requests submitting altered context information.
Mining ABAC policies: When organizations become very large, access control lists become impractical for specifying access control policies. Organizations at this point should migrate from access control matrices to ABAC (Attribute-based access control) policies that assign permissions to users according to the users’ and the permissions’ attributes. This migration process requires intensive inspections of the users, the permissions, and the access control matrices and is mainly done manually, which makes it error prone. In this project, we shall propose procedures for automatically mining attribute-based policies from access control matrices.

Publications

Carlos Cotrini, Thilo Weghorn, David Basin, and Manuel Clavel
Analyzing First-order Role Based Access Control
IEEE Computer Security Foundations Symposium (CSF), 2015
[PDF]